Company
Support
Login
BifrostConnect BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel

    Create a Zero Trust network without VPN Tunneling

    Clientless Serial Tunnel

    Establish a Serial (RS232) connection without borders

    Offline File Transfer

    Transfer files without exposing endpoints to the internet

  • Who We Help
    Case Studies
    Damgaard Automatik Case Study
    SGS Case Study
    Luságua Case Study
    Operational Technology
    Engineering & Commissioning
    Cybersecurity & Compliance
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
    NIS2
  • Pricing
  • OT Cybersecurity
    Best-practice Guide for Secure 3rd party remote access in OT
    OT Cybersecurity Landscape: Denmark 2027
    NIS2 Remote Access WHITE PAPER
Contact Us
BifrostConnect
  • How it Works
    Zero Trust by design
    How it Works
    Direct Native Access (DNA)
    Direct Tunnel Access (DTA)
    Clientless Tunnel Access (CTA)
    Clientless IP Tunnel
    Clientless Serial Tunnel
    Offline File Transfer
  • Who We Help
    Cybersecurity & Compliance
    Engineering & Commissioning
    Operations
    Industries
    Energy & Utilities
    Water Management
    Vandværker
    Industrial Automation & Manufacturing
    Pharma, Life Science & Healthcare
    Testing, Inspection & Certification
    Logistics, Transportation & Maritime
    Banking & Financial Services
  • Resources
    Company
    Zero Trust by design
    Release Notes
    Knowledge Center
    Tours & Tutorials
    FAQ
    Blog
  • Pricing
  • Support
  • OT Cybersecurity
    OT Cybersecurity Landscape: Denmark 2027
    Best-practice Guide for Secure 3rd party remote access in OT
    NIS2 Remote Access WHITE PAPER
Book a Demo
Contact Us

Getting Started

12
  • Admin
    • Set up your organization
    • User roles and permissions
  • Onsite User Guides
    • Onsite Step Guide
    • Connect KVM
    • Connect IP Tunnel
    • Connect Offline File Transfer
    • Connect USB Tunnel
    • Connect Serial Tunnel
    • Connect SSH
    • Connect Serial Terminal (Console Access)
  • Datasheets
    • Technical Specifications
    • Requirements

Technical Support

2
  • Feedback & Feature requests
    • Share your ideas and feedback
  • Report a bug
    • Reporting Bugs 

Release Notes

21
  • 2026
    • Remote Access Interface Release 25 June 2026
    • Direct Tunnel Release 1 June 2026
    • Bifrost Release 13 January 2026
  • 2025
    • Bifrost Release 30 Oktober 2025
    • Bifrost Release 19 August 2025
    • Bifrost Release 30 June 2025
    • Bifrost Release 11 February 2025
  • 2024
    • Bifrost Release 04 December 2024
    • Bifrost Release 16 November 2024
    • Bifrost Release 2 Oktober 2024
    • Bifrost Release 14 August 2024
    • Bifrost Release 7 May 2024
    • BifrostConnect Firmware V4.8.0
  • 2023
    • BifrostConnect Firmware V4.7.0
    • BifrostConnect Firmware V4.6.0
    • BifrostConnect Firmware V4.5.0
    • BifrostConnect Firmware V4.4.0
  • 2022
    • BifrostConnect Firmware V.4.3.2
    • BifrostConnect Firmware V.4.3.1
    • BifrostConnect Firmware V.4.2.0
  • 2021
    • BifrostConnect Firmware V.4.0.0

Best Practice Guide

14
  • About this guide
  • Core Framework
  • Architecture & Principles
  • Threat Context
  • Zero Standing Privilege
  • Four OT Access Patterns
  • Degraded Mode & Legacy Equipment
  • Defence in Depth
  • Compliance & Implementation
  • Residual Risks
  • Definitions
  • References
  • Operational Lifecycle 
  • Procurement Appendix

Implementing the OT Best Practice Framework with BifrostConnect

6
  • Overview and Framework Mapping
  • Threat Model
  • Scenario Implementation – Scenario 1
  • Scenario Implementation – Scenario 2
  • Scenario Implementation – Scenario 3
  • Scenario Implementation – Scenario 4
  • Home
  • Knowledge Center
  • Implementing the OT Best Practice Framework with BifrostConnect
  • Scenario Implementation – Scenario 3
View Categories

Scenario Implementation – Scenario 3

SCENARIO OVERVIEW
What are the four OT access scenarios, and which BifrostConnect products map to each?

Part 1 defines four scenarios derived from two axes: where the programming software is located (engineering station vs vendor PC) and the scale of the OT operation (small with no SOC vs large with SOC, PAM, SIEM). Each scenario maps to a specific BifrostConnect product mix.The figure below shows the four implementations side by side. The detailed configuration for each scenario follows in the next four sections.

SCENARIO 3 · PATTERN D
How is BifrostConnect implemented for Scenario 3 (small OT, vendor-owned PC)?

Part 1 requirement recap: Small utility, software licensed on the vendor technician’s own PC (common for Danish water sector). The vendor travels to the site with their own laptop and connects it to the OT network. Part 1 identifies this as the highest proportional risk: an uncontrolled device in direct contact with PLCs, with no enterprise IT to harden it.

BifrostConnect implementation. Primary products: Unattended Bifrost Unit + Direct Tunnel Access + SessionGuard (enforced session recording to a customer-controlled log server when deployed per the hardening guidance) + Bifrost Manager. The SessionGuard recording engine is designed to be packaged with the Direct Tunnel Access client and must be installed on the technician PC.

Configuration:

  • Bifrost Unit deployed on the OT network as the access gateway. Unattended variant is the canonical default (admin-initiated session via Manager + MFA + mobile-app verification); the attended variant is selected where on-site personnel must physically authorise each session via the Unit’s TOTP button.
  • Bifrost Unit maintains outbound-only connection to BifrostConnect Service on port 443 (4G or WAN). OT Island principle enforced: outbound only, no inbound port open.
  • Vendor PC connects via Direct Tunnel Access (WireGuard tunnel, scoped to specific subnet/IP) or Direct Native Access (browser KVM, no network-layer connectivity). The choice determines the security profile.
    • Direct Native Access (KVM): vendor PC has zero network access to OT assets. Video stream only. Highest isolation.
    • Direct Tunnel Access: vendor PC gets scoped, temporary IP connectivity. Necessary when vendor software must send IP traffic to PLC. Lower isolation than Direct Native Access but still session-scoped and recorded.
  • SessionGuard is designed to deploy on a customer-owned recording VM per vendor engagement. WebRTC screen capture and keystroke logging flow directly from the vendor operator console to the customer’s VM by design.
  • Physical masquerading on the Bifrost Unit ensures only the Unit’s IP is visible to OT equipment.
  • TOTP button on the attended Unit enforces on-site consent for every session.

Compliance evidence mapping (Part 1, Scenario 3 regulatory alignment):

Requirement (source)Technical evidence BifrostConnect providesOrganisational control still required
NIS2 Art. 21(2)(d): supply chain (vendor PC on OT network)Bifrost Unit prevents vendor PC from joining OT network (KVM) or constrains access to scoped tunnel (Direct Tunnel). Individual identity captured.Vendor device security requirements in contract, self-certification or attestation of device compliance, defined maintenance procedure.
NIS2 Art. 21(2)(e): security in network maintenanceSession recording of all maintenance activity, time-bounded access windows.Change request documentation (even a logged email approval for small orgs), post-maintenance verification by operations.
NIS2 Art. 21(2)(i): access control for vendor device accessGateway-level authentication, TOTP, individual identity, scoped network access.Written vendor access policy, process for vendor de-provisioning when contract ends.
IEC 62443-2-4:2024 SP.07 Remote access + SP.01 Solution staffingBifrost Manager identity, SessionGuard recording, time-limited session.Technician qualification verification, documented scope per maintenance task.
BEK 260 §§51-53: only authorised endpoints on OTBifrost Unit broker – vendor PC never directly on OT LAN (KVM) or scoped-only (Direct Tunnel).Written endpoint authorisation policy, physical access procedures for on-site maintenance.

Implementation requirements for Scenario 3. Scenario 3 is the highest-risk quadrant by Part 1’s analysis (vendor PC, small OT). The following deployment decisions make the BifrostConnect control envelope hold:

  • Recording layer ownership: SessionGuard is designed to capture the operator’s screen and keystrokes. Pair it with OT-IDS co-deployment when protocol-level evidence on Modbus / OPC UA / S7comm is also required – the two recordings together produce the complete forensic chain.
  • Recording VM as a deployment dependency: SessionGuard is designed to run on a customer-deployed VM per engagement. Schedule the VM build, ownership and patch responsibility before the first vendor session. The recording claim is real once the VM is in place.
  • Acceptance test as a go-live gate: validate three properties before the first production session: (a) the session cannot start when the recording VM is unreachable, (b) recordings land in customer-controlled storage, (c) tampering alerts reach the SOC. Document the test result in the rollout runbook.
  • Operator-side platform: deploy the Direct Tunnel Access client (installed lightweight client on macOS / Windows; supports multi-user parallel access and subnet mapping). Match the deployment to the vendor’s tooling rather than retrofitting later.
  • Access model selection: when KVM (Direct Native Access) covers the vendor’s task, use it – the vendor PC then has zero IP path to OT. Reserve Direct Tunnel Access for tasks that genuinely need IP-level interaction (e.g. firmware uploads, multi-port debug). Documenting the choice per task closes the audit trail.

Maturity profile: minimum viable vs target state (Scenario 3). Scenario 3 is Part 1’s highest-risk quadrant. Minimum viable closes the BEK 260 §§29-32 (supplier procedures), §§51-53 and §55 stk. 2 and NIS2 supply-chain gap; target state adds the depth needed for sites where the regulator will examine the deployment after an incident.

CapabilityMinimum viable (Scenario 3 floor)Target state (Scenario 3 ceiling)
IdentityUnattended Bifrost Unit (canonical default) with attended variant available where on-site authorisation is required; per-vendor accounts in Bifrost Manager.Federated SSO via Bifrost Manager Dedicated Cloud / on-premises tier; conditional access on admin sign-in (delivered through the customer’s federated IdP).
RecordingSessionGuard on a customer-deployed VM per engagement (the recording floor).SessionGuard plus OT-IDS packet capture for protocol-level evidence; tamper alerts to SOC.
Network boundaryBifrost Unit (unattended canonical, attended variant where required), outbound-only, masquerading active.Bifrost Unit attended + 4G/LTE out-of-band + scheduled time-bound Direct Tunnel Access (Advanced plan or Dedicated Cloud tier).
Vendor PC trustVendor PC connects via attended session, scoped to specific endpoints.Direct Native Access preferred over Direct Tunnel Access where the task allows; access model documented per task.
Audit + monitoringAudit via the Manager/Service; SIEM forwarding (Dedicated Cloud tier).Manager + OT-IDS + diode-protected unidirectional log export to enterprise SIEM.
Updated on July 14, 2026
Scenario Implementation – Scenario 2Scenario Implementation – Scenario 4
Essentials Logo
Islands Brygge 55
2300 Copenhagen S, Denmark
+45 70 60 20 56
[email protected]
About Us
Release Notes
Privacy Policy
Terms & Conditions
FAQ
Book a Demo
Book a Demo

Subscribe to Our Newsletter

Copyright BifrostConnect ApS. 2026
All Rights Reserved